Video: TrickBot and ETERNALCHAMPION

This video tutorial is a walkthrough of how you can analyze the PCAP file
UISGCON-traffic-analysis-task-pcap-2-of-2.pcap
(created by Brad Duncan).
The capture file contains a malicious Word Document (macro downloader), Emotet (banking trojan),
TrickBot/Trickster (banking trojan) and an EternalChampion (CVE-2017-0146)
exploit used to perform lateral movement.

Network Diagram

Timeline of Events

Frame   Time (UTC)   Event
825     18:55:32     Malicious Word doc [cosmoservicios.cl]
1099    18:56:04     Emotet download [bsrcellular.com]
5024    19:00:41     Trickbot "radiance.png" download
9604    19:01:34     Client credentials exfiltrated [200.29.24.36:8082]
9915    19:01:36     ETERNALCHAMPION exploit from client to DC
10424   19:01:51     Client sends .EXE files to \\10.1.75.4\C$\WINDOWS\
11078   19:01:51     Client infects DC with Trickbot via rogue service
14314   19:07:03     DC credentials exfiltrated [200.29.24.36:8082]
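As an added example (not code from the original post or from NETRESEC), the indicators in the timeline above turned into a small triage pass over connection records: it flags the known-bad download hosts, the exfiltration endpoint, SMBv1 use, an EXE written to an admin share and remote service creation, and shows that two internal hosts reached the C2, i.e. the lateral movement succeeded. The record layout, the client address 10.1.75.20, URL paths, file name and service detail strings are assumptions; only 10.1.75.4, 200.29.24.36:8082 and the two domains come from the post.

```python
import re
from collections import namedtuple

# One record per interesting flow/transaction (layout is an assumption, not a NetworkMiner/Wireshark export).
Rec = namedtuple("Rec", "frame time src dst proto detail")

# Constructed records mirroring the timeline; NOT extracted from the PCAP.
SAMPLE = [
    Rec(825,   "18:55:32", "10.1.75.20", "cosmoservicios.cl:80", "http", "GET /invoice.doc -> application/msword"),
    Rec(1099,  "18:56:04", "10.1.75.20", "bsrcellular.com:80",   "http", "GET /payload -> application/octet-stream"),
    Rec(5024,  "19:00:41", "10.1.75.20", "203.0.113.9:80",       "http", "GET /radiance.png"),
    Rec(9604,  "19:01:34", "10.1.75.20", "200.29.24.36:8082",    "tcp",  "POST 2 KB"),
    Rec(9915,  "19:01:36", "10.1.75.20", "10.1.75.4:445",        "smb",  "SMB1 negotiate, Trans2 requests"),
    Rec(10424, "19:01:51", "10.1.75.20", "10.1.75.4:445",        "smb",  r"WRITE \\10.1.75.4\C$\WINDOWS\sys.exe"),
    Rec(11078, "19:01:51", "10.1.75.20", "10.1.75.4:445",        "smb",  r"svcctl CreateServiceW binpath C:\WINDOWS\sys.exe"),
    Rec(14314, "19:07:03", "10.1.75.4",  "200.29.24.36:8082",    "tcp",  "POST 3 KB"),
]

KNOWN_BAD_HOSTS = {"cosmoservicios.cl", "bsrcellular.com"}  # download hosts named in the timeline
C2_EXFIL = "200.29.24.36:8082"                               # credential exfiltration endpoint from the timeline

# (tag, predicate) pairs; each predicate sees one Rec.
RULES = [
    ("download from known-bad host", lambda r: r.proto == "http" and r.dst.split(":")[0] in KNOWN_BAD_HOSTS),
    ("credential exfiltration to C2", lambda r: r.dst == C2_EXFIL),
    ("SMBv1 in use (EternalChampion / CVE-2017-0146 attack surface)", lambda r: r.proto == "smb" and "SMB1" in r.detail),
    ("EXE written to admin share",
     lambda r: r.proto == "smb" and re.search(r"\\\\[\w.]+\\(C|ADMIN)\$\\.*\.exe$", r.detail, re.I) is not None),
    ("remote service creation (rogue service)", lambda r: r.proto == "smb" and "CreateService" in r.detail),
]

def triage(records):
    """Return [(frame, time, tag, src, dst)] for every record matching a rule, ordered by frame number."""
    hits = []
    for r in sorted(records, key=lambda r: r.frame):
        for tag, match in RULES:
            if match(r):
                hits.append((r.frame, r.time, tag, r.src, r.dst))
    return hits

def hosts_talking_to_c2(records):
    """Internal hosts that reached the exfiltration endpoint; more than one means the infection spread."""
    return sorted({r.src for r in records if r.dst == C2_EXFIL})

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print("%6d  %s  %-60s %s -> %s" % hit)
    print("hosts that reached C2:", hosts_talking_to_c2(SAMPLE))
```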

OSINT Links Opened

Tools Used

Network Forensics Training

Want to improve your network forensics skills? Take a look at our
trainings; the next scheduled class is on March 18-19 at the
TROOPERS conference in Germany.




*** This is a Security Bloggers Network syndicated blog from NETRESEC Network Security Blog authored by Erik Hjelmvik. Read the original post at: http://www.netresec.com/?page=Blog&month=2019-01&post=Video%3A-TrickBot-and-ETERNALCHAMPION